IVRE (Instrument de veille sur les réseaux extérieurs) or DRUNK (Dynamic Recon of UNKnown networks) is a network recon framework, including tools for passive recon (flow analytics relying on Bro, Argus and Nfdump, fingerprint analytics based on Bro and p0f) and active recon (IVRE uses Nmap to run scans and can use ZMap as a pre-scanner; IVRE can also import XML output from Nmap and Masscan).
The advertising slogans are:
- (in French): IVRE, il scanne Internet.
- (in English): Know the networks, get DRUNK!
The names IVRE and DRUNK have been chosen as a tribute to "Le Taullier".
IVRE is a framework. Meaning it does not come with ready-to-run scripts to daemonize actions, etc. You need to do that work yourself, as it strongly depends on what system you use, your environment, and what you want to do.
IVRE relies on:
- Python 2, version 2.6 minimum
- Bro (version 2.3 minimum), Argus, Nfdump & p0f (version 2, will not work with version 3) for the passive fingerprint and flow modules.
- MongoDB, version 2.6 minimum (tests are run with versions 2.6.12, 3.0.14, 3.2.12, 3.4.2 and 3.5.3).
- optionally Neo4j for the flow module.
- optionally PostgreSQL, version 9.5 minimum (tests are run with versions 9.5.6 and 9.6.2), for the experimental PostgreSQL backend.
- a web server (successfully tested with Apache and Nginx, should work with anything capable of serving static files and running a Python-based CGI), although a test web server is now distributed with IVRE (ivre httpd).
- a web browser (successfully tested with recent versions of Firefox and Chromium).
- Maxmind GeoIP free databases.
- optionally Tesseract, if you plan to add screenshots to your Nmap scan results.
- optionally neo4j (version >= 2) & py2neo (version >= 3) for ivre flow related tools.
IVRE comes with (refer to the LICENSE-EXTERNAL file for the licenses):
See the INSTALL file. You can also try to use Docker to easily set up and run an IVRE architecture.
The following steps will show some examples of passive network recon with IVRE. If you only want active (for example, Nmap-based) recon, you can skip this part.
You need to run bro (2.3 minimum) with the option -b and the location of the passiverecon.bro file. If you want to run it on the eth0 interface, for example, run:
# mkdir logs
# LOG_PATH=logs/passiverecon \
> bro -b /usr/local/share/ivre/passiverecon/passiverecon.bro -i eth0
If you want to run it on the capture file (capture needs to be a PCAP file), run:
$ mkdir logs
$ LOG_PATH=logs/passiverecon \
> bro -b /usr/local/share/ivre/passiverecon/passiverecon.bro -r capture
This will produce log files in the logs directory. You need to run an ivre passivereconworker to process these files. You can try:
$ ivre passivereconworker --directory=logs
This program will not stop by itself. You can (p)kill it; it will stop gently (as soon as it has finished processing the current file).
You can also send the data from bro to the database without using intermediate files:
$ bro -b /usr/local/share/ivre/passiverecon/passiverecon.bro [option] \
> | ivre passiverecon2db
To start filling your database with information from the eth0 interface, you just need to run (passiverecon is just a sensor name here):
# ivre p0f2db -s passiverecon iface:eth0
And from the same capture file:
$ ivre p0f2db -s passiverecon capture
You have two options for now:
- the ivre ipinfo command line tool
- the db.passive object of the ivre.db Python module
For example, to show everything stored about an IP address or a network:
$ ivre ipinfo 1.2.3.4
$ ivre ipinfo 1.2.3.0/24
See the output of ivre help ipinfo.
To use the Python module, run for example:
$ python
>>> from ivre.db import db
>>> db.passive.get(db.passive.flt_empty)[0]
For more, run help(db.passive) from the Python shell.
The easiest way is to install IVRE on the "scanning" machine and run:
# ivre runscans --routable --limit 1000 --output=XMLFork
This will run a standard scan against 1000 random hosts on the Internet by running 30 nmap processes in parallel. See the output of ivre help runscans if you want to do something else.
When it's over, to import the results in the database, run:
$ ivre scan2db -c ROUTABLE-CAMPAIGN-001 -s MySource -r scans/ROUTABLE/up
Here, ROUTABLE-CAMPAIGN-001 is a category (just an arbitrary name that you will use later to filter scan results) and MySource is a friendly name for your scanning machine (same here, an arbitrary name usable to filter scan results; by default, when you insert a scan result, if you already have a scan result for the same host address with the same source, the previous result is moved to an "archive" collection (fewer indexes) and the new result is inserted in the database).
There is an alternative to installing IVRE on the scanning machine that allows using several agents from one master. See the AGENT file, the program ivre runscansagent for the master and the agent/ directory in the source tree.
You have three options:
- the ivre scancli command line tool
- the db.nmap object of the ivre.db Python module
- the web interface
To get all the hosts with the port 22 open:
$ ivre scancli --port 22
See the output of ivre help scancli.
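The following is an added example, not code from IVRE itself, illustrating two behaviours described above: the category/source rule applied by ivre scan2db when importing Nmap XML (a new result for the same host address and the same source moves the previous one to an archive collection) and the ivre scancli --port query. The Nmap XML document is constructed for this example, and ScanStore is a hypothetical in-memory stand-in for IVRE's MongoDB collections, not IVRE's real storage layer.

```python
import xml.etree.ElementTree as ET

# Constructed Nmap XML sample (two hosts up, one with ssh and http open).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" start="1490000000">
  <host starttime="1490000001" endtime="1490000010">
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/></port>
    </ports>
  </host>
  <host starttime="1490000001" endtime="1490000012">
    <status state="up"/>
    <address addr="192.0.2.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(text):
    """Yield one record per host that is up, keeping only its open ports."""
    root = ET.fromstring(text)
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = None
        for a in host.findall("address"):
            if a.get("addrtype") in ("ipv4", "ipv6"):
                addr = a.get("addr")
                break
        if addr is None:
            continue
        ports = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            ports.append({
                "protocol": port.get("protocol"),
                "port": int(port.get("portid")),
                "service": svc.get("name") if svc is not None else None,
            })
        yield {"addr": addr, "ports": ports, "endtime": int(host.get("endtime", 0))}


class ScanStore:
    """Hypothetical in-memory stand-in for IVRE's scan collections.

    Models the documented import rule: a new result for the same address
    and the same source moves the previous result to the archive."""

    def __init__(self):
        self.active = []
        self.archive = []

    def insert_scan(self, xml_text, categories, source):
        inserted = 0
        for rec in parse_nmap_xml(xml_text):
            rec = dict(rec, categories=list(categories), source=source)
            keep = []
            for old in self.active:
                if old["addr"] == rec["addr"] and old["source"] == source:
                    self.archive.append(old)
                else:
                    keep.append(old)
            self.active = keep
            self.active.append(rec)
            inserted += 1
        return inserted

    def hosts_with_open_port(self, port, protocol="tcp", category=None):
        """Counterpart of `ivre scancli --port PORT`, optionally filtered by category."""
        result = []
        for rec in self.active:
            if category is not None and category not in rec["categories"]:
                continue
            if any(p["port"] == port and p["protocol"] == protocol for p in rec["ports"]):
                result.append(rec["addr"])
        return sorted(result)


def demo():
    """Import the sample twice from the same source, then query by port."""
    store = ScanStore()
    store.insert_scan(SAMPLE_NMAP_XML, ["ROUTABLE-CAMPAIGN-001"], "MySource")
    # Second import from the same source: the first results move to the archive.
    store.insert_scan(SAMPLE_NMAP_XML, ["ROUTABLE-CAMPAIGN-001"], "MySource")
    return {
        "active": len(store.active),
        "archived": len(store.archive),
        "ssh_hosts": store.hosts_with_open_port(22),
        "http_hosts": store.hosts_with_open_port(80, category="ROUTABLE-CAMPAIGN-001"),
    }


if __name__ == "__main__":
    print(demo())
```

After the second import the store holds two active records and two archived ones, and the port-22 query returns only the host with ssh open, which is the same shape of answer ivre scancli --port 22 gives over the real database.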
To use the Python module, run for example:
$ python
>>> from ivre.db import db
>>> db.nmap.get(db.nmap.flt_empty)[0]
For more, run help(db.nmap) from the Python shell.
The interface is meant to be easy to use; it has its own documentation.
IVRE is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
IVRE is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with IVRE. If not, see the gnu.org web site.
Try ivre help for the CLI commands, help() under Python and the "HELP" button in the web interface.
Have a look at the FAQ!
Feel free to contact the author and offer him a beer if you need help!
If you don't like beer, a good scotch or any other good alcoholic beverage will do (it is the author's unalienable right to decide whether a beverage is good or not).
Code contributions (pull-requests) are of course welcome!
The project needs scan results and capture files that can be provided as examples. If you can contribute some samples, or if you want to contribute some samples and would need some help to do so, or if you can provide a server to run scans, please contact the author.
For both support and contribution, the repository on Github should be used: feel free to create a new issue or a pull request!
You can also try to use the e-mail dev on the domain ivre.rocks, or to join the IRC chan #ivre on Freenode.
This file is part of IVRE. Copyright 2011 - 2017 Pierre LALET